[00:01.740 --> 00:05.720]  And welcome back, everybody, to DEF CON 28 Safe Mode,
[00:05.720 --> 00:07.080]  Blue Team Village.
[00:07.100 --> 00:09.280]  We have our next talk for the day.
[00:09.420 --> 00:11.960]  We're going to have Bill talking to us today.
[00:11.960 --> 00:15.580]  No Question: TeamViewer, Police, and Consequence.
[00:15.880 --> 00:18.680]  So take it from there, Bill.
[00:21.190 --> 00:24.170]  Hello, everybody, and happy end of the world to you.
[00:24.210 --> 00:26.830]  The purpose of this talk is to explain a situation
[00:26.830 --> 00:29.850]  I'd found myself in last year,
[00:29.850 --> 00:33.410]  to detail a breach from the perspective of a small business.
[00:33.590 --> 00:36.550]  After the story itself, I've got a couple ideas
[00:36.550 --> 00:40.410]  relating to bringing the bigger ideas about security
[00:40.410 --> 00:42.830]  to some of our smaller clients.
[00:43.650 --> 00:46.270]  Alongside that, I wanted to make it clear to anybody
[00:46.270 --> 00:49.890]  who feels the familiar sting of the imposter syndrome
[00:50.590 --> 00:52.030]  that you're capable.
[00:52.650 --> 00:54.590]  I'm presenting this as a narrative,
[00:54.590 --> 00:58.150]  more of a story than a formal presentation.
[00:58.150 --> 01:02.150]  The overall scale of this breach is probably something much smaller
[01:02.150 --> 01:04.710]  than most of you are used to dealing with.
[01:04.890 --> 01:08.630]  But I do know that there are some people here from small businesses
[01:08.630 --> 01:12.070]  that tune into the BTV, because I'm one of them.
[01:18.070 --> 01:20.610]  Online, my name is Corvus Actual,
[01:20.610 --> 01:25.550]  and I'm the co-owner of a small four-person IT shop in Canada.
[01:25.990 --> 01:28.510]  This is the story of what a breach looks like
[01:28.510 --> 01:31.830]  for a small business, start to finish.
[01:31.830 --> 01:35.450]  So, we start about a month before the breach itself
[01:35.450 --> 01:37.670]  with my very first trip to DEF CON.
[01:37.970 --> 01:40.130]  I was overwhelmed with the opportunity.
[01:40.170 --> 01:42.430]  Everybody says when you get there, there's so much to do,
[01:42.430 --> 01:44.770]  but there really is so much to do.
[01:44.970 --> 01:47.550]  I've been watching DEF CON videos for years.
[01:48.450 --> 01:51.090]  I spent quite a bit of my time at the Blue Team Village,
[01:51.090 --> 01:53.750]  since that's at least a part of my day job.
[01:53.750 --> 01:55.490]  I wanted to see if I could pick anything up
[01:55.490 --> 01:59.510]  from between the talks, the CTF, and the people milling about.
[01:59.510 --> 02:03.070]  I was given access to the CTF VPN
[02:03.070 --> 02:05.610]  at the same table as everybody else.
[02:06.130 --> 02:09.730]  But here's the thing, I flew to DEF CON completely solo.
[02:09.970 --> 02:14.070]  So, even though I later hooked up with the Lonely Hackers Club,
[02:14.070 --> 02:15.990]  I stumbled through the first bit of the CTF
[02:15.990 --> 02:18.730]  without anybody to bounce ideas off of.
[02:18.730 --> 02:21.410]  I was absolutely thrilled to have captured
[02:21.870 --> 02:23.930]  a good handful of flags on my own,
[02:23.930 --> 02:26.130]  both sitting in the hall outside the BTV
[02:26.130 --> 02:27.630]  and later on in the weekend.
[02:28.350 --> 02:30.130]  The reason I mention this,
[02:30.130 --> 02:32.750]  though it falls outside the actual breach itself,
[02:32.750 --> 02:35.850]  is because that experience,
[02:35.850 --> 02:41.010]  maybe fueled by the mana of so many like-minded people,
[02:41.010 --> 02:43.970]  gave me the confidence to jump in there and fight it out,
[02:43.970 --> 02:45.330]  solo or not.
[02:45.330 --> 02:46.950]  I really believed that.
[02:46.950 --> 02:50.890]  I felt like I had some kind of drive or motivation
[02:50.890 --> 02:54.610]  that wouldn't have ordinarily been so handily available,
[02:54.610 --> 02:57.910]  thanks to the community behind the Blue Team Village at DEF CON.
[02:59.170 --> 03:00.590]  So fast forward a few weeks
[03:00.590 --> 03:02.110]  and I'm sitting in front of my workstation
[03:02.110 --> 03:04.050]  at about 10:30 a.m.
[03:04.390 --> 03:05.910]  I get a call from a co-worker
[03:05.910 --> 03:08.450]  who has seen a weird log file
[03:08.450 --> 03:11.010]  that's been left on his workstation.
[03:11.290 --> 03:12.510]  He noticed this text file
[03:12.510 --> 03:14.750]  left open with a mishmash of characters,
[03:14.750 --> 03:15.990]  some sort of encryption.
[03:16.610 --> 03:18.830]  The file referenced a location on his system
[03:18.830 --> 03:20.630]  that threw a trigger in his head,
[03:20.630 --> 03:23.250]  enough to call somebody and talk it through.
[03:24.830 --> 03:27.890]  C:\ProgramData\FKL.
[03:28.070 --> 03:29.030]  After a short chat,
[03:29.030 --> 03:30.410]  we both set to work on Google
[03:30.410 --> 03:32.970]  to look for information on this folder,
[03:32.970 --> 03:35.370]  which we had just discovered was set to hidden.
[03:35.670 --> 03:37.050]  Hmm, interesting.
[03:37.510 --> 03:39.370]  After a few keyword searches,
[03:39.370 --> 03:40.830]  we found a link to a number of sites
[03:40.830 --> 03:43.590]  selling software called Family Keylogger.
[03:44.050 --> 03:44.830]  Uh-oh.
[03:45.290 --> 03:46.850]  A little deeper now,
[03:46.850 --> 03:49.710]  we started to look into the hidden folders.
[03:49.710 --> 03:52.350]  We saw logview.exe,
[03:52.350 --> 03:55.290]  the program for viewing the logged keystrokes
[03:55.290 --> 03:58.130]  as advertised by the site selling the software.
[03:58.350 --> 04:00.430]  When we clicked to open the program,
[04:00.430 --> 04:01.970]  it was password protected.
[04:02.590 --> 04:05.570]  All the usual default passwords didn't work.
[04:05.570 --> 04:07.650]  A quick Google search didn't provide any results
[04:07.650 --> 04:09.210]  for default credentials.
[04:09.770 --> 04:10.570]  Uh-oh.
[04:10.850 --> 04:12.990]  So finally, I logged into a number of other computers
[04:12.990 --> 04:14.390]  via TeamViewer.
[04:14.490 --> 04:16.770]  On all the major systems I had access to,
[04:16.770 --> 04:18.050]  we found the folder.
[04:18.050 --> 04:21.170]  I could feel that deep, gut-turning anxiety
[04:21.590 --> 04:25.410]  start to bubble up as the situation started to spin.
[04:28.920 --> 04:30.900]  I immediately tasked our other techs
[04:30.900 --> 04:33.280]  to meet at the infected client.
[04:33.600 --> 04:36.380]  They're an organization with size and scale,
[04:36.380 --> 04:38.080]  but unfortunately, not a lot of budget
[04:38.080 --> 04:40.900]  to be thrown at traditional IT security stuff.
[04:40.900 --> 04:45.560]  So, no IDS, no IPS, nothing to track logs.
[04:45.640 --> 04:47.540]  Add to that, no 2FA,
[04:47.540 --> 04:51.220]  no ongoing employee training for cybersecurity stuff,
[04:51.220 --> 04:54.200]  and minimal formal policies in place.
[04:54.900 --> 04:58.720]  So, we have these client machines,
[04:58.720 --> 04:59.600]  and they're online.
[04:59.600 --> 05:01.100]  There's an unknown number of them
[05:01.100 --> 05:03.380]  that are infected with this keylogger.
[05:03.940 --> 05:08.020]  During this time, in the course of about 40 minutes,
[05:08.020 --> 05:10.500]  my coworker hit a stroke of good luck.
[05:10.780 --> 05:13.380]  After copying out the FKL folder for backup,
[05:13.380 --> 05:15.780]  he started deleting one file at a time,
[05:15.780 --> 05:18.980]  just to see if one of the files was locking the program.
[05:19.380 --> 05:20.300]  He found it.
[05:20.360 --> 05:22.200]  Again, just by dumb luck,
[05:22.200 --> 05:26.220]  by deleting one of the files in the client subdirectory,
[05:26.220 --> 05:28.540]  he managed to unlock that database,
[05:28.540 --> 05:30.340]  showing the logged key presses,
[05:30.340 --> 05:31.680]  and most importantly,
[05:31.680 --> 05:34.860]  the vector for uninstalling the application cleanly.
[05:35.380 --> 05:37.740]  At the same time, I emailed the vendor.
[05:37.980 --> 05:40.760]  They noted, of course, that if we bought a license,
[05:40.760 --> 05:42.660]  they'd be able to unlock the application
[05:42.660 --> 05:45.720]  and provide uninstallation instructions.
[05:46.180 --> 05:50.540]  So our technicians got to work backing up found copies of the program
[05:50.540 --> 05:53.400]  and uninstalling it from infected machines,
[05:53.400 --> 05:56.220]  while I handled the servers separately.
[05:57.680 --> 06:01.060]  At this time, it was about 5 p.m.
[06:01.340 --> 06:06.080]  I was, in all sincerity, overwhelmed.
[06:06.500 --> 06:08.720]  Beyond the scope of this problem,
[06:08.720 --> 06:11.400]  our business was expected to maintain operations
[06:11.400 --> 06:15.140]  and fluidity to the rest of our support issues.
[06:15.840 --> 06:17.600]  The rest of our clients needed to be supported
[06:17.600 --> 06:20.740]  and regular business was to continue as normal.
[06:21.100 --> 06:24.100]  I was dejected. I was defeated.
[06:24.960 --> 06:29.640]  Especially after freshly returning home from Hacker Summer Camp,
[06:29.640 --> 06:31.760]  I just felt like I'd been had.
[06:35.770 --> 06:37.650]  When my wife arrived home,
[06:37.650 --> 06:40.230]  she told me to take a 20-minute break to clear my head
[06:40.230 --> 06:45.210]  before giving me the best instruction anybody in crisis could get.
[06:45.350 --> 06:49.430]  Get after it. Fix this. I know you can.
[06:50.130 --> 06:52.970]  But this is where the human side kicks in.
[06:53.470 --> 06:56.210]  This is where I feel like I've already lost.
[06:56.430 --> 07:00.030]  I know I'm going to have to provide something, anything,
[07:00.030 --> 07:02.470]  in an email to the people involved,
[07:02.470 --> 07:05.110]  and I don't know really where to start.
[07:05.110 --> 07:07.470]  I've worked in IT for more than a decade,
[07:07.470 --> 07:11.850]  but I don't have any formal certifications in security,
[07:11.850 --> 07:13.470]  or I didn't at that point.
[07:13.890 --> 07:16.730]  I felt like this was getting way past my skill set
[07:16.730 --> 07:21.330]  and into territory that I definitely wasn't comfortable with.
[07:21.510 --> 07:24.930]  I knew, though, that somebody had to start,
[07:24.930 --> 07:28.370]  so I just sort of logged in and got to work.
[07:28.370 --> 07:31.770]  Without any real direction, I just started.
[07:32.070 --> 07:34.350]  I backed up log files from TeamViewer
[07:34.350 --> 07:39.530]  before looking through any of them to a separate system for safekeeping.
[07:39.730 --> 07:43.250]  With no formal training in forensics or chain of custody,
[07:43.250 --> 07:45.730]  I figured it was a good idea in any case
[07:45.730 --> 07:49.310]  just to get copies of those log files just in case.
[07:54.030 --> 07:57.790]  In some instances, I found the TeamViewer
[07:57.790 --> 08:03.050]  date_logfile.log had been deleted.
[08:03.550 --> 08:05.970]  Luckily, we had offsite backups of that folder
[08:05.970 --> 08:08.310]  where we could retrieve the log files from
[08:08.310 --> 08:10.290]  before they'd been deleted.
[08:10.910 --> 08:13.650]  Secondarily, we had shadow copies as well.
[08:14.090 --> 08:16.290]  I found a couple servers where the attacker
[08:16.290 --> 08:18.930]  had deleted the log files, but strangely,
[08:18.930 --> 08:21.550]  some of them were left untouched on other servers.
[08:22.790 --> 08:26.450]  At this time, the local municipal police had become involved.
[08:26.950 --> 08:29.070]  A detective from their cybercrime unit
[08:29.070 --> 08:31.710]  had come to the main headquarters of our client
[08:31.710 --> 08:34.510]  to chat with the co-owner of our company.
[08:36.480 --> 08:39.390]  I asked my partner to let the detective know that I was digging
[08:39.390 --> 08:43.150]  to stand by for any information that I'd found.
[08:43.290 --> 08:46.870]  I recognize now that just getting started
[08:46.870 --> 08:48.930]  and just getting to work and diving in there
[08:48.930 --> 08:52.510]  without formal training could have cost the investigation.
[08:53.170 --> 08:55.350]  But in a real-life situation,
[08:55.350 --> 08:58.730]  as it was happening with real-life consequences,
[08:58.730 --> 09:00.350]  that's the decision I made.
[09:00.350 --> 09:05.530]  I just decided at that moment to dive in there and get to work.
[09:06.550 --> 09:09.390]  I started looking through the TeamViewer connection logs.
[09:09.390 --> 09:13.370]  I figured I would start with the easiest infiltration vector,
[09:13.370 --> 09:16.630]  or the easiest vector I could think of.
[09:16.870 --> 09:19.670]  The remote access application installed is unattended
[09:19.670 --> 09:21.890]  on the servers themselves.
[09:22.110 --> 09:23.710]  I considered other options.
[09:23.710 --> 09:27.450]  I was at least aware of USB Rubber Duckies
[09:27.450 --> 09:29.210]  that could have been preloaded with a script
[09:29.210 --> 09:30.690]  and dropped in the parking lot,
[09:30.690 --> 09:35.370]  or an installer dropped in from an exploit or something like that.
[09:35.750 --> 09:39.370]  I figured I would just start at the very bottom and work my way up.
[09:39.370 --> 09:41.850]  I'd start with what I knew how to handle.
[09:42.370 --> 09:44.230]  I scrolled through a handful of logs,
[09:44.230 --> 09:47.310]  stopping abruptly on seeing a peculiar username
[09:47.310 --> 09:49.870]  having accessed one of the servers.
[09:55.360 --> 09:57.520]  Okay, that's something.
[09:57.600 --> 10:00.120]  I made a note of the username and kept digging.
[10:00.620 --> 10:03.340]  I started noticing this username everywhere.
[10:03.340 --> 10:05.560]  And when I say everywhere, I mean in multiple TeamViewer logs
[10:05.560 --> 10:08.340]  on multiple different servers and workstations.
[10:08.740 --> 10:11.480]  Generally speaking, this user was accessing systems
[10:11.480 --> 10:14.820]  well outside of our standard operating hours.
[10:14.820 --> 10:17.640]  Most of the connections were happening around midnight,
[10:17.640 --> 10:19.340]  some of them just after.
[10:20.620 --> 10:24.480]  Many TeamViewer installs had another user added as unattended,
[10:24.480 --> 10:26.300]  named the number zero.
[10:27.200 --> 10:29.240]  We had to access every system in the agency
[10:29.240 --> 10:32.960]  to ensure this user was disallowed any further access.
[10:33.640 --> 10:36.380]  Nonetheless, I documented multiple file transfers
[10:36.380 --> 10:39.520]  and remote control sessions from this user.
[10:39.740 --> 10:42.340]  In the TeamViewer logs, I had dates and times
[10:42.340 --> 10:44.000]  with a connected username.
[10:44.000 --> 10:46.220]  I figured TeamViewer would be able to lend a hand
[10:46.220 --> 10:48.760]  in getting more information together.
[10:49.500 --> 10:53.560]  Since the client systems were all installed as unattended,
[10:53.560 --> 10:56.420]  I suspect the attacker waited to find
[10:56.420 --> 10:58.860]  one of our technician's TeamViewer credentials
[10:58.860 --> 11:02.660]  to log in and access that list of unattended systems
[11:02.660 --> 11:04.160]  in the agency.
[11:04.200 --> 11:07.360]  Without evidence, though, I can only assume.
[11:09.180 --> 11:12.360]  Alongside the detective from the cybercrime unit,
[11:12.360 --> 11:14.500]  we asked TeamViewer to help.
[11:14.860 --> 11:17.080]  We were swiftly transferred to a legal department
[11:17.080 --> 11:20.240]  who told us that since TeamViewer's servers
[11:20.240 --> 11:22.420]  were located in Germany,
[11:22.420 --> 11:25.060]  we would require international warrants
[11:25.060 --> 11:27.920]  to have any data about these connections compiled
[11:27.920 --> 11:31.380]  and sent for use in a criminal investigation.
[11:31.980 --> 11:35.300]  At the time, I thought that was just absolute bullshit,
[11:35.580 --> 11:37.420]  but I do get it.
[11:37.420 --> 11:40.100]  It was frustrating because we were in the middle
[11:40.100 --> 11:43.320]  of that scenario as it was developing,
[11:43.320 --> 11:46.180]  so I felt all this pressure on top of my shoulders
[11:46.180 --> 11:50.080]  to just summon these fixes
[11:50.080 --> 11:53.140]  with people who were not unwilling,
[11:53.140 --> 11:55.200]  but unable to help.
[11:57.630 --> 11:59.890]  I had an old contact at TeamViewer
[11:59.890 --> 12:02.530]  that I sent an urgent message to.
[12:03.150 --> 12:05.050]  He called back and lent some advice
[12:05.050 --> 12:07.990]  as to where we could look through our own log files
[12:07.990 --> 12:09.750]  for any more information.
[12:10.590 --> 12:13.230]  You have to figure we're looking at
[12:14.050 --> 12:18.730]  maybe 20 or so log files that span several years,
[12:18.730 --> 12:20.910]  sometimes two or three years,
[12:21.450 --> 12:23.590]  a real good chunk of data.
[12:23.590 --> 12:26.250]  At the time, the best I could muster
[12:26.250 --> 12:29.270]  was literally mouse-wheeling through those things,
[12:29.270 --> 12:31.610]  but I had this little indicator, that username,
[12:31.610 --> 12:33.070]  to chase after.
[12:34.370 --> 12:37.730]  During this time, over the period of about 4 to 5 hours,
[12:38.190 --> 12:40.950]  I started up my laptop and began scouring the Internet
[12:40.950 --> 12:42.510]  for OSINT.
[12:42.670 --> 12:44.490]  I'm not really sure why I did that.
[12:44.750 --> 12:47.890]  Maybe just to bounce the username off of the Internet
[12:47.890 --> 12:50.690]  to see if anything useful came back.
[12:50.690 --> 12:54.650]  Well, I found a user on Twitter with,
[12:54.650 --> 12:57.090]  believe it or not, the same username
[12:57.090 --> 13:00.010]  that had logged in over TeamViewer.
[13:00.530 --> 13:03.150]  Scrolling through their post history, I found,
[13:03.150 --> 13:06.890]  believe it or not, a post about the very key logger
[13:06.890 --> 13:09.050]  that was installed on our systems.
[13:09.570 --> 13:12.510]  So obviously, I doubled down on my efforts in OSINT
[13:12.510 --> 13:15.630]  for about an hour and pulled all kinds
[13:15.630 --> 13:17.510]  of relevant information.
[13:17.510 --> 13:20.510]  For example, we found an email address
[13:20.510 --> 13:22.930]  in the configuration for the key logger,
[13:22.930 --> 13:25.330]  where the logs were being pushed to.
[13:25.510 --> 13:27.770]  The Twitter user shared a Facebook account
[13:28.250 --> 13:30.410]  with several email addresses published
[13:30.410 --> 13:32.770]  with the same username.
[13:33.710 --> 13:36.110]  I found multiple references to nefarious stuff
[13:36.110 --> 13:39.190]  on the social media profiles linked to this person.
[13:39.310 --> 13:42.090]  I even found the same username dumping hashes
[13:42.090 --> 13:43.810]  on a cracking forum.
[13:43.810 --> 13:46.310]  And then, the breakthrough.
[13:47.090 --> 13:50.330]  An IP address was found in a TeamViewer log file
[13:50.330 --> 13:54.530]  that coincided with the time the external user logged in.
[13:54.870 --> 13:57.830]  I ran it through a quick IP geolocation search
[13:57.830 --> 14:00.030]  on Google and found it traced back
[14:00.030 --> 14:02.670]  to a small town in Ontario, Canada.
[14:02.810 --> 14:05.670]  The same small town both the Twitter
[14:05.670 --> 14:09.290]  and Facebook account were declared as being from.
[14:09.850 --> 14:13.210]  Now we're going to refer to the attacker as bad guy.
[14:17.550 --> 14:19.710]  I brought this to the attention of both
[14:19.710 --> 14:21.890]  the detective and the client.
[14:21.990 --> 14:24.410]  I put together a dossier of all the information I found
[14:24.410 --> 14:26.030]  and handed it over to both parties.
[14:26.030 --> 14:29.210]  I figured it'd at least be a good starting point.
[14:29.670 --> 14:31.410]  Here's where things get tricky.
[14:31.590 --> 14:33.870]  This person, referenced on social media,
[14:33.870 --> 14:35.990]  was actually known to the organization
[14:36.490 --> 14:39.390]  as being a person who was enrolled in their services.
[14:39.390 --> 14:42.130]  The story takes a brief pause here
[14:42.130 --> 14:45.990]  as the justice system lags behind the real world.
[14:46.250 --> 14:48.510]  Fortunately, in time, the municipal police
[14:48.510 --> 14:52.150]  were able to secure a search warrant for bad guy's house.
[14:52.510 --> 14:54.570]  On the arrival of police services,
[14:54.570 --> 14:58.170]  bad guy's devices were on and doing bad guy stuff.
[14:58.190 --> 14:59.370]  They were taken for analysis
[14:59.370 --> 15:04.850]  and bad guy confessed in full, on site.
[15:05.030 --> 15:08.450]  After a few weeks, the analysis came back.
[15:08.450 --> 15:11.590]  Bad guy's computers were full of all the usual stuff.
[15:11.690 --> 15:13.830]  VMs, multiple pirated keyloggers,
[15:13.830 --> 15:16.930]  PDFs with instructions, videos, all that stuff.
[15:16.930 --> 15:19.890]  Signed, sealed, and delivered. Right?
[15:20.070 --> 15:22.370]  Well, something happened.
[15:22.790 --> 15:26.770]  During the five months this process took to finally wash out,
[15:27.250 --> 15:29.790]  something must have happened.
[15:29.990 --> 15:31.590]  No question.
[15:31.630 --> 15:35.890]  I was told there was no question that bad guy was responsible,
[15:35.890 --> 15:39.210]  had conducted these unauthorized connections to the network,
[15:39.210 --> 15:41.970]  and that he had the means to do so at his ready.
[15:42.750 --> 15:47.170]  I wasn't told specifically why the charges were dropped,
[15:47.170 --> 15:49.650]  only that it would be difficult to prove
[15:49.650 --> 15:52.750]  his intent was malicious in nature.
[15:53.310 --> 15:53.870]  Okay?
[15:54.650 --> 15:56.530]  At the end of the day,
[15:56.530 --> 15:59.390]  I think this is how bad guy got his initial access.
[15:59.730 --> 16:02.550]  I don't think this was a particularly technical attack.
[16:02.550 --> 16:05.790]  I'm not nearly as skilled at detection and forensic stuff
[16:05.790 --> 16:07.770]  as some folks around here.
[16:07.770 --> 16:09.650]  But this is what I think happened.
[16:10.210 --> 16:13.130]  The organization didn't have hard policies in place
[16:14.590 --> 16:18.450]  about clientele using the organization's systems.
[16:18.970 --> 16:21.110]  I'd heard through the grapevine that this was happening,
[16:21.110 --> 16:22.730]  but you all know how that goes.
[16:22.730 --> 16:25.250]  An email goes out to leadership saying this shouldn't happen.
[16:25.250 --> 16:28.690]  The email goes down the chain, but at the end of the day,
[16:28.690 --> 16:31.230]  no policy equals no action.
[16:31.850 --> 16:34.330]  I believe bad guy had an opportunity at some point
[16:34.330 --> 16:37.470]  to either access the system directly or,
[16:37.470 --> 16:40.310]  which is the more likely scenario, just snapped a picture
[16:40.310 --> 16:43.330]  of the team viewer splash screen with a cell phone.
[16:43.630 --> 16:47.030]  They could have accessed the system, likely not locked or turned off,
[16:47.030 --> 16:50.030]  later on that night and started to infiltrate from there.
[16:50.030 --> 16:51.750]  But here's the kicker.
[16:52.150 --> 16:56.290]  Bad guy got his devices back and is back on site
[16:56.290 --> 16:59.890]  accessing services from the organization.
[17:00.110 --> 17:01.650]  So that's awesome.
[17:02.030 --> 17:05.650]  All told, we learned a pile of valuable lessons.
[17:05.770 --> 17:10.370]  We're a small shop, and yep, I've read about situations like this.
[17:10.490 --> 17:13.890]  I'd say we made it out lucky from a scenario
[17:13.890 --> 17:16.670]  that could have been much, much worse.
[17:17.010 --> 17:19.510]  Most of you will be able to read between the lines here
[17:19.510 --> 17:22.190]  and identify points of failure on our part
[17:22.190 --> 17:25.350]  that led to this type of breach being a possibility.
[17:26.350 --> 17:29.830]  I think the largest problem that small IT shops face
[17:29.830 --> 17:33.230]  is the juggling act required to keep all the elements
[17:33.230 --> 17:35.730]  of business equally sorted.
[17:35.730 --> 17:39.570]  I remember from the Blue Team Village last year,
[17:40.030 --> 17:41.550]  a panel on small business cybersecurity
[17:41.990 --> 17:43.870]  that touched on that.
[17:43.870 --> 17:47.650]  The concept that cybersecurity is sometimes left as an afterthought
[17:47.930 --> 17:50.790]  with some of our smaller clients from budget limits
[17:50.790 --> 17:53.950]  or lack of concern or understanding.
[17:53.950 --> 17:57.230]  But the same threats and outcomes still exist.
[17:57.930 --> 18:00.130]  At last year's DEF CON, I played a game of D&D
[18:00.130 --> 18:03.210]  with a guy who gave me a great little piece of advice.
[18:03.950 --> 18:06.170]  Present controls to mitigate risk
[18:06.170 --> 18:10.430]  and defer responsibility where those controls are not used.
[18:10.750 --> 18:13.270]  Right or wrong, I think it's a great starting point
[18:13.270 --> 18:14.650]  for guys like me.
[18:15.090 --> 18:17.210]  I think there's some use in talking about
[18:17.210 --> 18:19.690]  the after-action side of things, too.
[18:19.690 --> 18:22.230]  For the people that work in smaller environments
[18:22.230 --> 18:25.510]  and hail from smaller companies, I've seen a subtle gap
[18:25.510 --> 18:28.710]  that exists right before a certain sized organization
[18:28.710 --> 18:31.290]  where cybersecurity starts to matter more
[18:31.290 --> 18:33.470]  to the people in leadership roles.
[18:37.130 --> 18:39.430]  These are a couple things I've been doing recently
[18:39.430 --> 18:43.310]  that seem to help bring more hesitant people around to the idea
[18:43.310 --> 18:45.750]  of tightening up security around the network.
[18:45.970 --> 18:48.950]  If you're selling security services, this stuff might help you talk
[18:48.950 --> 18:52.150]  about your stack. But I think for anybody in a position
[18:52.150 --> 18:54.950]  where you're talking to end users about security,
[18:54.950 --> 18:57.570]  these three things might be a decent idea.
[18:58.130 --> 19:01.690]  Define the why. Really, I'm trying not to use LinkedIn-like
[19:01.690 --> 19:03.850]  like business speak here.
[19:03.850 --> 19:06.470]  I've used this specific idea.
[19:06.750 --> 19:10.810]  It works for me. Chip away at the organization's goals
[19:10.810 --> 19:13.210]  until you can directly attach data security
[19:13.210 --> 19:16.310]  to the primary function of the business.
[19:16.310 --> 19:19.570]  Forests Ontario is a local nonprofit
[19:19.570 --> 19:22.430]  that I pulled off of Google. They help rebuild forests
[19:22.430 --> 19:25.190]  around here. They have the following goal.
[19:26.150 --> 19:28.710]  Forests Ontario is dedicated to making Ontario's
[19:28.710 --> 19:31.830]  forests greener. Our ambitious tree planting
[19:31.830 --> 19:34.470]  initiatives, extensive education programs,
[19:34.470 --> 19:37.630]  and decades of community outreach have resulted in millions
[19:37.630 --> 19:40.390]  of trees being planted each year.
[19:40.390 --> 19:43.930]  You could just as easily write a few edits into that statement
[19:43.930 --> 19:46.610]  when talking to shot callers about security
[19:46.610 --> 19:50.430]  to start emphasizing the importance of security.
[19:50.430 --> 19:53.070]  For example, Forests Ontario is dedicated
[19:53.070 --> 19:56.110]  to making Ontario's forests greener.
[19:56.150 --> 19:59.070]  Our ambitious tree planting initiatives, extensive education
[19:59.070 --> 20:02.150]  programs, and decades of community outreach are
[20:02.150 --> 20:05.050]  powered by scheduling software, email, and
[20:05.170 --> 20:07.990]  a company fleet of laptops, and have resulted
[20:07.990 --> 20:11.250]  in millions of trees being planted each year.
[20:11.250 --> 20:14.410]  I've used this approach to help frame cybersecurity
[20:14.410 --> 20:17.790]  not as an element of IT infrastructure or something
[20:17.790 --> 20:20.630]  that happens in the server room, but as the starting
[20:20.630 --> 20:23.570]  point to building a culture within the
[20:23.570 --> 20:26.590]  organization that values security as part
[20:26.590 --> 20:29.430]  of how the whole thing runs. Without
[20:29.430 --> 20:32.610]  cybersecurity, we can't do the things we're trying
[20:32.610 --> 20:33.790]  to do.
[20:35.050 --> 20:38.370]  Find a framework. Most of the smaller
[20:38.370 --> 20:41.410]  organizations I see out there have very,
[20:41.410 --> 20:44.590]  very little security infrastructure. Most
[20:44.590 --> 20:47.870]  have next to zero staff training.
[20:47.890 --> 20:50.450]  Most rely on the IT guy to just do
[20:50.450 --> 20:53.550]  the security magic and do it quietly and do
[20:53.550 --> 20:56.270]  it cheaply. Find a published
[20:56.270 --> 20:59.410]  framework that you can use to better explain why
[20:59.410 --> 21:02.230]  you're introducing security controls
[21:02.230 --> 21:05.470]  that cost cash and convenience.
[21:05.470 --> 21:08.650]  For instance, we found the Baseline Cyber Security
[21:08.990 --> 21:11.870]  Controls for Small and Medium Organizations
[21:11.870 --> 21:14.830]  from the Canadian federal government to be of great
[21:14.830 --> 21:17.650]  help with both translating some of the technical
[21:17.650 --> 21:21.190]  side and actually implementing controls.
[21:21.430 --> 21:23.590]  I found even if the
[21:23.590 --> 21:26.550]  client calls you to help set up and
[21:26.550 --> 21:29.590]  secure a network, a written and industry
[21:29.590 --> 21:32.710]  accepted framework can help, as Jocko Willink might
[21:32.710 --> 21:35.850]  say, prioritize and execute a short
[21:35.850 --> 21:38.550]  list of must-haves from a long list
[21:38.550 --> 21:40.870]  of would-be controls.
[21:41.950 --> 21:45.110]  Lastly, start talking about it.
[21:45.310 --> 21:47.570]  This seems really obvious. Out there
[21:47.570 --> 21:50.310]  in the offices, I see a common theme
[21:50.310 --> 21:53.850]  between most of our clients. Some just
[21:53.850 --> 21:56.810]  give us money to fix the blinky lights. Others
[21:56.810 --> 21:59.710]  want us to verify that we're using every minute
[21:59.710 --> 22:02.730]  of each build hour. The thread that runs
[22:02.730 --> 22:05.650]  between them is this. When I talk to them about
[22:05.650 --> 22:08.190]  security, they tend to listen.
[22:08.690 --> 22:11.430]  Now, that doesn't always translate into putting better
[22:11.430 --> 22:14.310]  practices in place, but I can usually
[22:14.310 --> 22:17.690]  at least get a window to speak at a staff
[22:17.690 --> 22:20.590]  meeting, to start building that foundation at the
[22:20.590 --> 22:23.730]  very base of the organization, and
[22:23.730 --> 22:27.450]  at least start the conversation about cybersecurity.
[22:28.170 --> 22:30.650]  This seems like a given, to just talk
[22:30.650 --> 22:33.910]  about security. Too often, though, our clients
[22:33.910 --> 22:36.750]  are caught up in the grind of their day job, and
[22:36.750 --> 22:39.670]  they don't have time to worry about security.
[22:40.010 --> 22:42.690]  More often still, users assume the responsibility
[22:42.690 --> 22:45.930]  of security falls onto the guy in the server room,
[22:45.930 --> 22:48.290]  not the person at the reception desk.
[22:49.290 --> 22:51.810]  Purposefully bringing a quick briefing on cybersecurity
[22:51.810 --> 22:54.430]  to monthly staff meetings or as part of a smaller
[22:54.430 --> 22:57.590]  team meeting helps keep that topic on the table.
[22:58.870 --> 23:01.890]  One of the benefits of security,
[23:01.890 --> 23:04.050]  cringy as it might be to some of the guys
[23:04.050 --> 23:06.890]  who have been around DEF CON forever, is that
[23:06.890 --> 23:09.710]  information security still has that cool factor
[23:09.710 --> 23:12.570]  to a lot of people who don't directly work in IT
[23:12.570 --> 23:15.550]  or around security. If you really put some
[23:15.550 --> 23:18.210]  investment into bringing security into the
[23:18.210 --> 23:21.330]  conversation, like any other part of your life,
[23:21.330 --> 23:23.030]  it pays you back.
[23:24.310 --> 23:27.490]  I have to say, speaking at DEF CON is an absolute
[23:28.150 --> 23:30.790]  moonshot for me. There are times
[23:30.790 --> 23:33.410]  I had felt like one of the only guys in my town
[23:33.410 --> 23:36.450]  that was interested in hacking. From a place
[23:36.450 --> 23:39.430]  of true gratitude, I thank you all
[23:39.430 --> 23:40.750]  for the opportunity.
[23:41.990 --> 23:45.950]  The hard lesson to learn is where your weaknesses are.
[23:46.310 --> 23:48.110]  Working through the breach last year
[23:48.110 --> 23:52.490]  served to detail exactly where our failures were.
[23:52.630 --> 23:54.730]  Since this event, I've started to swing
[23:54.730 --> 23:57.270]  for some certifications. I've fundamentally
[23:57.270 --> 23:59.090]  shifted my focus.
[23:59.860 --> 24:02.910]  At the end of the day, it's all up to you.
[24:02.910 --> 24:05.010]  And nobody's coming to save you.
[24:05.530 --> 24:08.150]  Please feel free to DM me on the BTV Discord
[24:08.150 --> 24:12.370]  or drop your questions in the BTV Discord so I can respond.
[24:12.410 --> 24:15.340]  With collectives like the Blue Team Village,
[24:15.340 --> 24:18.560]  we can fortify ourselves to meet real world
[24:18.560 --> 24:22.420]  challenges, even if we're not fully ready to fight.
[24:22.500 --> 24:24.420]  Because we have to.
[24:24.540 --> 24:25.940]  Thank you.
